yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-07-11 02:52:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
strapi/packages/plugins/users-permissions/server/controllers/validation/email-template.js

49 lines
886 B
JavaScript
Raw Normal View History

Fix some user permission issue (#6629) * Fix some security issue Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> * compt node 10 Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com>
2020-06-15 10:34:59 +02:00
'use strict';
const _ = require('lodash');
const invalidPatternsRegexes = [/<%[^=]([^<>%]*)%>/m, /\${([^{}]*)}/m];
Added SERVER_URL to allowed template variables
2022-03-07 16:15:48 +01:00
const authorizedKeys = [
'URL',
'SERVER_URL',
'CODE',
'USER',
'USER.email',
'USER.username',
'TOKEN',
];
Fix some user permission issue (#6629) * Fix some security issue Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com> * compt node 10 Signed-off-by: Alexandre Bodin <bodin.alex@gmail.com>
2020-06-15 10:34:59 +02:00
const matchAll = (pattern, src) => {
const matches = [];
let match;
const regexPatternWithGlobal = RegExp(pattern, 'g');
while ((match = regexPatternWithGlobal.exec(src))) {
const [, group] = match;
matches.push(_.trim(group));
}
return matches;
};
const isValidEmailTemplate = template => {
for (let reg of invalidPatternsRegexes) {
if (reg.test(template)) {
return false;
}
}
const matches = matchAll(/<%=([^<>%=]*)%>/, template);
for (const match of matches) {
if (!authorizedKeys.includes(match)) {
return false;
}
}
return true;
};
module.exports = {
isValidEmailTemplate,
};
Reference in New Issue Copy Permalink